From 3f42307c64b1c669a77db2c1f7ecb56c529a54aa Mon Sep 17 00:00:00 2001
From: Jennie Robinson Faber
Date: Sun, 26 Apr 2026 18:06:32 +0100
Subject: [PATCH] fix(rate-limit): bypass middleware when ALLOW_DEV_TEST_ENDPOINTS=true
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Parallel Playwright runs (6 workers, all from 127.0.0.1) burned through the 100 req/min generalLimiter budget within the first ~30s, causing every API call (including /api/dev/test-login and /api/dev/member-login) to return 429 for the rest of the window. Auth helper waitForURL then timed out at 45s with no redirect ever firing — surfacing as 8 cascading test failures across auth.spec.js, board.spec.js, and admin-members.spec.js. The bypass mirrors the existing gate used by /api/dev/* endpoints: the env var is opt-in and only set in development (.env) or by Playwright's webServer config. Production never sets it, so rate limiting remains active.

---
 server/middleware/03.rate-limit.js | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/server/middleware/03.rate-limit.js b/server/middleware/03.rate-limit.js
index ac87ef7..5ee6103 100644
--- a/server/middleware/03.rate-limit.js
+++ b/server/middleware/03.rate-limit.js
@@ -43,6 +43,11 @@ export default defineEventHandler(async (event) => {
 const path = getRequestURL(event).pathname
 if (!path.startsWith('/api/')) return
 
+ // Bypass rate limiting in test/dev opt-in mode so parallel E2E runs from a
+ // single IP (127.0.0.1) do not exhaust the per-IP budget. Mirrors the gate
+ // used by /api/dev/* endpoints — only set in development and by Playwright.
+ if (process.env.ALLOW_DEV_TEST_ENDPOINTS === 'true') return
+
 const ip = getClientIp(event)
 try {
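Review bot: The added early return switches off rate limiting for every /api/ route on the strength of a single env-var string, so one stray ALLOW_DEV_TEST_ENDPOINTS=true in a production environment (copied .env, shared deploy config) silently disables the whole limiter with nothing in the logs to show it. The commit message relies on "production never sets it", which is a deployment promise rather than a code guarantee; the cheap defence is to also require a non-production runtime, e.g. `if (process.env.ALLOW_DEV_TEST_ENDPOINTS === 'true' && process.env.NODE_ENV !== 'production') return`, and to emit a one-time warning at module load when the bypass is active so an operator can see it in startup output. Whether the existing /api/dev/* gate already pairs the flag with such a check is not visible in this hunk, so if it does, the same helper should be reused here rather than duplicating the string comparison. The enclosing defineEventHandler callback starts and ends outside the hunk.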